A-MAZE-X CTF Walkthrough | Part 0
This post belongs to a series of articles dedicated to solving the DeFi challenges hosted by Secureum at Stanford University on the past 26 of August.
Additionally, this series is part of a greater series called A journey into smart contract security.
AMAZE-X CTF Walkthrough (repo)
- Intro to the series — Part 0 (posted 21/09)
- Challenge0.VToken — Part I (posted 22/09)
- Challenge1.lenderpool — Part II (posted 27/09)
- Challenge2.DEX — Part III (posted 4/10)
- Challenge3.borrow_system — Part IV (posted 08/10)
Table of contents
- Introduction
1.1 Some context - The CTF
- How to play
3.1 Solving a challenge (from the GitHub repo)
3.2 Tips - My offer to you
Introduction
Hi and welcome! The intention of the following articles is to share real personal experiences written in a way that it reads almost like a story, including all the mistakes I make along the road.
Some context
Last week I attended the second edition of the local convention called GEERS. It is targeted at blockchain curious that want to delve deeper into the technical side of the Ethereum ecosystem.
There I met Alan Verbner, Co-Founder y CTO of Atix Lab, a company recently acquired by Globant, and he mentioned something about a friend making a CTF for a workshop.
The CTF
The challenges that will discuss in this series were hosted on the past 25 of August by Stanford University as part of Defi Security 101, built by eugenioclrc and luksgrin.
Important note (by the authors)
This set of challenges aren’t set for competitive purposes. Their main objective is to showcase scenarios involving DeFi,
Solidityconcepts and common vulnerabilities.Focus on learning and having fun!
How to play
At the moment of this writing, there are at least 6 different ways of playing. I decided to pick the option where you run the challenges locally with Hardhat 💛.
git clone git@github.com:eugenioclrc/DeFi-Security-Summit-Stanford.git
cd DeFi-Security-Summit-Stanford
git checkout hardhat
yarnSolving a challenge (from the GitHub repo)
Challenge contracts are located under the hardhat_flavor/contracts/ directory. Do not modify them, as it may lead to unexpected behaviors within the challenges.
To solve a challenge, you must do the following:
- Create an exploit contract(s) within the appropriate
hardhat_flavor/contracts/exploits/ExploitX.solfile. - Complete the necessary
JavaScriptcode (in the signalized area) within the appropriatehardhat_flavor/test/solveChallengeX.jsfile.
Note that this procedure has to be done for each challenge.
Then, to check if the challenge has been solved, execute the following command
npx hardhat test test/solveChallengeX.jsIf the solution criteria have been reached, it shall display the following message
Solve Challenge X
✔ Check if required condition has been met (XXXms)
1 passing (XXXms)Alternatively, to check if all challenges have been solved, execute the following command:
npx hardhat testwhich will return the test results for all challenges in order.
Tips
If you checked out the repository you probably saw that besides the solutions for the challenges, which are provided in every flavor — in our case that would be Hardhat —, there are some tips for each exercise.
I suggest not looking at any of them and using them only as a last resource. And don't worry, I am going to mention the tips for each challenge eventually.
My offer to you
As I mentioned above, the approach I am going to use will be documenting the process as much as possible, even my wrong turns, but trying to be as brief as that can be in order to keep it entertained.
To ease the content on this occasion we will try to use as few tools as possible, and guess as many things as we can before diving in.
So… are you ready for the first challenge?
See you in the next post! ➡️
Thanks for reading! My name is Matt, and I’m learning how to make Ethereum more secure. I will be sharing some things from time to time.
Follow me on twitter @mattaereal.
